{%- set allnode,etcdnode, extDomain=[],[],[] -%}

{%- for host in groups['master'] -%}
    {{ allnode.append(host) }}
{%- endfor %}
{%- for host in groups['worker'] -%}
    {{ allnode.append(host) }}
{%- endfor %}

{%- if groups['etcd'] is not defined %}
    {%- for host in groups['master'] -%}
        {{ etcdnode.append(host) }}
    {%- endfor %}
{%- else %}
    {%- for host in groups['etcd'] -%}
        {{ etcdnode.append(host) }}
    {%- endfor %}
{%- endif %}

{%- if kubernetes.ha is defined %}
    {%- if kubernetes.ha.vip is search("^[\d.]+$") -%}
        {{ allnode.append(kubernetes.ha.vip) }}
    {%- else -%}
        {{ extDomain.append(kubernetes.ha.vip) }}
    {%- endif -%}
{%- endif %}

{%- if kubernetes.ssl.extension is defined %}
    {%- for Domain in kubernetes.ssl.extension %}
        {%- if Domain is search("^[\d.]+$") -%}
            {{ allnode.append(Domain) }}
        {%- else -%}
            {{ extDomain.append(Domain) }}
        {%- endif -%}
    {%- endfor %}
{%- endif %}
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign

[ v3_req_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth

[ v3_req_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth

[ v3_req_apiserver ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names_cluster

[ v3_req_etcd ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_etcd

[ alt_names_cluster ]
DNS.1 = localhost
DNS.2 = kubernetes
DNS.3 = kubernetes.default
DNS.4 = kubernetes.default.svc
DNS.5 = kubernetes.default.svc.{{ kubernetes.settings.ClusterDomain | default(cluster.local) }}
{% if  extDomain | length > 0 %}
{% for Domain in extDomain | unique  %}
DNS.{{ loop.index + 5 }} = {{ Domain }}
{% endfor %}
{% endif %}
IP.1 = {{ kubernetes.settings.SvcIP }}
IP.2 = 127.0.0.1
{% if  allnode | length > 0 %}
{% for host in allnode | unique %}IP.{{ loop.index + 2 }} = {{ host }}
{% endfor %}
{% endif %}

[ alt_names_etcd ]
DNS.1 = localhost
IP.1 = 127.0.0.1
{% if  etcdnode | length > 0 %}
{% for host in etcdnode %}IP.{{ loop.index + 1 }} = {{ host }}
{% endfor %}
{% endif %}